Google Cloud TCP Proxy Load Balancing allows you to use a single IP address for all users around the world. TCP Proxy Load Balancing automatically routes traffic to the instances that are closest to the user.
This guide contains instructions for setting up TCP Proxy Load Balancing. Before you start, read the TCP Proxy Load Balancing overview for information about how TCP Proxy Load Balancing works.
Overview
This example demonstrates setting up global TCP Proxy Load Balancing for
a simple service that exists in two regions: us-central1
and us-east1
.
For purposes of the example, the service is a set of Apache
servers configured to respond on port 110
. Many browsers do not
allow port 110
, so the testing section uses curl
.
In this example, you configure the following:
- Four instances distributed between two regions
- Instance groups, which contain the instances
- A health check for verifying instance health
- A backend service, which monitors the instances and prevents them from exceeding configured usage
- The target TCP proxy
- An external static IPv4 address and forwarding rule that sends user traffic to the proxy
- An external static IPv6 address and forwarding rule that sends user traffic to the proxy
- A firewall rule that allows traffic from the load balancer and health checker to reach the instances
After the load balancer is configured, you test the configuration.
Permissions
To follow this guide, you must be able to create instances and modify a network in a project. You must be either a project owner or editor, or you must have all of the following Compute Engine IAM roles:
Task | Required Role |
---|---|
Create networks, subnets, and load balancer components | Network Admin |
Add and remove firewall rules | Security Admin |
Create instances | Compute Instance Admin |
For more information, see the following guides:
Configuring instances and instance groups
This section shows how to create simple instance groups, add instances to them, then add those instances to a backend service with a health check. A production system would normally use managed instance groups based on instance templates, but this configuration is quicker for initial testing.
Configuring instances
For testing purposes, install Apache on four instances, two in each of two instance groups. Typically, TCP Proxy Load Balancing isn't used for HTTP traffic, but Apache is commonly-used software and is easy to set up for testing.
In this example, the instances are created with the tag tcp-lb
. This tag is
used later by the firewall rule.
Console
Create instances
- Go to the VM instances page in the Google Cloud Console.
Go to the VM instances page - Click Create instance.
- Set Name to
ig-us-central1-1
. - Set the Region to
us-central1
. - Set the Zone to
us-central1-b
. - Click Management, security, disks, networking, sole tenancy to reveal advanced settings.
- Under Management, click Networking and populate the Tags field with
tcp-lb
. - Click Management and enter the following script in the Startup script field:
sudo apt-get update sudo apt-get install apache2 -y sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf sudo service apache2 restart echo '<!doctype html><html><body><h1>ig-us-central1-1</h1></body></html>' | sudo tee /var/www/html/index.html
- Leave the default values for rest of the fields.
- Click Create.
- Create
ig-us-central1-2
with the same settings, except with the following script in the Startup script field:sudo apt-get update sudo apt-get install apache2 -y sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf sudo service apache2 restart echo '<!doctype html><html><body><h1>ig-us-central1-2</h1></body></html>' | sudo tee /var/www/html/index.html
- Create
ig-us-east1-1
with the same settings, except with Region set tous-east1
and Zone set tous-east1-b
. Enter the following script in the Startup script field:sudo apt-get update sudo apt-get install apache2 -y sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf sudo service apache2 restart echo '<!doctype html><html><body><h1>ig-us-east1-1</h1></body></html>' | sudo tee /var/www/html/index.html
- Create
ig-us-east1-2
with the same settings, except with Region set tous-east1
and Zone set tous-east1-b
. Enter the following script in the Startup script field:sudo apt-get update sudo apt-get install apache2 -y sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf sudo service apache2 restart echo '<!doctype html><html><body><h1>ig-us-east1-2</h1></body></html>' | sudo tee /var/www/html/index.html
gcloud
Create
ig-us-central1-1
in zoneus-central1-b
gcloud compute instances create ig-us-central1-1 \ --image-family debian-9 \ --image-project debian-cloud \ --tags tcp-lb \ --zone us-central1-b \ --metadata startup-script="#! /bin/bash sudo apt-get update sudo apt-get install apache2 -y sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf sudo service apache2 restart echo '<!doctype html><html><body><h1>ig-us-central1-1</h1></body></html>' | tee /var/www/html/index.html EOF"
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances/ig-us-central1-1]. NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS ig-us-central1-1 us-central1-b n1-standard-1 10.240.0.8 23.251.150.133 RUNNING
Create
ig-us-central1-2
in zoneus-central1-b
gcloud compute instances create ig-us-central1-2 \ --image-family debian-9 \ --image-project debian-cloud \ --tags tcp-lb \ --zone us-central1-b \ --metadata startup-script="#! /bin/bash sudo apt-get update sudo apt-get install apache2 -y sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf sudo service apache2 restart echo '<!doctype html><html><body><h1>ig-us-central1-2</h1></body></html>' | tee /var/www/html/index.html EOF"
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instances/ig-us-central1-2]. NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS ig-us-central1-2 us-central1-b n1-standard-1 10.240.0.11 23.251.148.160 RUNNING
Create
ig-us-east1-1
in zoneus-east1-b
gcloud compute instances create ig-us-east1-1 \ --image-family debian-9 \ --image-project debian-cloud \ --tags tcp-lb \ --zone us-east1-b \ --metadata startup-script="#! /bin/bash sudo apt-get update sudo apt-get install apache2 -y sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf sudo service apache2 restart echo '<!doctype html><html><body><h1>ig-us-east1-1</h1></body></html>' | tee /var/www/html/index.html EOF"
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instances/ig-us-east1-1]. NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS ig-us-east1-1 us-east1-b n1-standard-1 10.240.0.12 104.196.31.214 RUNNING
Create
ig-us-east1-2
in zoneus-east1-b
gcloud compute instances create ig-us-east1-2 \ --image-family debian-9 \ --image-project debian-cloud \ --tags tcp-lb \ --zone us-east1-b \ --metadata startup-script="#! /bin/bash sudo apt-get update sudo apt-get install apache2 -y sudo sed -i '/Listen 80/c\Listen 110' /etc/apache2/ports.conf sudo service apache2 restart echo '<!doctype html><html><body><h1>ig-us-east1-2</h1></body></html>' | tee /var/www/html/index.html EOF"
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instances/ig-us-east1-2]. NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS ig-us-east1-2 us-east1-b n1-standard-1 10.240.0.13 104.196.25.101 RUNNING
Creating an instance group for each zone and adding instances
Console
- Go to the Instance groups page in the Cloud Console.
Go to the Instance groups page - Click Create instance group.
- Click New unmanaged instance group.
- Set the Name to
us-ig1
. - Set the Zone to
us-central1-b
. - Click Specify port name mapping.
A load balancer sends traffic to an instance group through a named
port.
Create a named port to map the incoming traffic to a specific port
number.
- Set Port name to
tcp110
. - Set Port numbers to
110
.
- Set Port name to
- Under VM instances, select
ig-us-central1-1
andig-us-central1-2
. - Leave the other settings as they are.
- Click Create.
- Repeat the steps, but set the following values:
- Name:
us-ig2
- Region:
us-east1
- Zone:
us-east1-b
- Port name:
tcp110
- Port numbers:
110
- Instances: ig-us-east1-1 and ig-us-east1-2.
- Name:
gcloud
Create the
us-ig1
instance group.gcloud compute instance-groups unmanaged create us-ig1 \ --zone us-central1-b
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instanceGroups/us-ig1]. NAME LOCATION SCOPE NETWORK MANAGED INSTANCES us-ig1 us-central1-b zone 0
Create a named port for the instance group.
gcloud compute instance-groups set-named-ports us-ig1 \ --named-ports tcp110:110 \ --zone us-central1-b
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].
Add
ig-us-central1-1
andig-us-central1-2
tous-ig1
gcloud compute instance-groups unmanaged add-instances us-ig1 \ --instances ig-us-central1-1,ig-us-central1-2 \ --zone us-central1-b
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-central1-b/instanceGroups/us-ig1].
Create the
us-ig2
instance group.gcloud compute instance-groups unmanaged create us-ig2 \ --zone us-east1-b
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2]. NAME LOCATION SCOPE NETWORK MANAGED INSTANCES us-ig2 us-east1-b zone 0
Create a named port for the instance group.
gcloud compute instance-groups set-named-ports us-ig2 \ --named-ports tcp110:110 \ --zone us-east1-b
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].
Add
ig-us-east1-1
andig-us-east1-2
tous-ig2
gcloud compute instance-groups unmanaged add-instances us-ig2 \ --instances ig-us-east1-1,ig-us-east1-2 \ --zone us-east1-b
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/us-east1-b/instanceGroups/us-ig2].
You now have one instance group per region. Each instance group has two VM instances.
Configuring the load balancer
Console
Create the load balancer and configure a backend service
- Go to the Load balancing page in the Google Cloud Console.
Go to the Load balancing page - Click Create load balancer.
- Start the load balancer configuration:
- Under TCP load balancing, click Start configuration.
- Set Internet facing or internal only to From Internet to my VMs.
- Set Multiple regions or single region to Multiple regions.
- Click Continue.
- Set the Name to
my-tcp-lb
. - Click Backend configuration.
- Under Backend type, select Instance groups.
- Under Protocol, select TCP.
- Configure the first backend:
- Under New backend, select instance group
us-ig1
. - Retain the remaining default values.
- Under New backend, select instance group
- Configure the second backend:
- Click Add backend.
- Select instance group
us-ig2
. - Under Port numbers, delete
80
and add110
.
- Configure the health check:
- Under Health check, select Create health check.
- Set the health check Name to
my-tcp-health-check
. - Under Protocol, select TCP.
- Set Port to
110
.
- Retain the remaining default values.
- Click Save and continue.
- In the Google Cloud Console, verify that there is a check mark next to Backend configuration. If not, double-check that you have completed all of the steps.
Configure frontend services
- Click Frontend configuration.
- Add the first forwarding rule:
- Enter a Name of
my-tcp-lb-forwarding-rule
. - Under Protocol, select TCP.
- Under IP address, select Create IP address:
- Enter a Name of
tcp-lb-static-ip
. - Click Reserve.
- Enter a Name of
- Set Port to
110
. - (Optional) Under Proxy Protocol, select On. For more information, see Proxy protocol.
- Click Done.
- Enter a Name of
- Add the second forwarding rule:
- Click Add frontend IP and port.
- Enter a Name of
my-tcp-lb-ipv6-forwarding-rule
. - Under Protocol, select TCP.
- Set IP version to
IPv6
. - Under IP address, click Create IP address.
- Enter a name of
tcp-lb-ipv6-static-ip
. - Click Reserve.
- Enter a name of
- Set Port to
110
. - (Optional) Under Proxy Protocol, select On.
- Click Done.
- In the Google Cloud Console, verify that there is a check mark next to Frontend configuration. If not, double-check that you have completed all the previous steps.
Review and finalize
- Click Review and finalize.
- Double-check your settings.
- Click Create.
gcloud
Create a health check
gcloud compute health-checks create tcp my-tcp-health-check --port 110
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/healthChecks/my-tcp-health-check]. NAME PROTOCOL my-tcp-health-check TCP
Create a backend service
gcloud compute backend-services create my-tcp-lb \
--global-health-checks \
--global \
--protocol TCP \
--health-checks my-tcp-health-check \
--timeout 5m \
--port-name tcp110
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-tcp-lb]. NAME BACKENDS PROTOCOL my-tcp-lb TCP
Alternatively, you can configure encrypted communication from the load
balancer to the instances with --protocol SSL
.
Add instance groups to your backend service
gcloud compute backend-services add-backend my-tcp-lb \
--global \
--instance-group us-ig1 \
--instance-group-zone us-central1-b \
--balancing-mode UTILIZATION \
--max-utilization 0.8
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-tcp-lb].
gcloud compute backend-services add-backend my-tcp-lb \
--global \
--instance-group us-ig2 \
--instance-group-zone us-east1-b \
--balancing-mode UTILIZATION \
--max-utilization 0.8
Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/backendServices/my-tcp-lb].
Configure a target TCP proxy
If you want to turn on the proxy header, set it to
PROXY_V1
instead of none
.
gcloud compute target-tcp-proxies create my-tcp-lb-target-proxy \
--backend-service my-tcp-lb \
--proxy-header NONE
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/targetTcpProxies/my-tcp-lb-target-proxy]. NAME PROXY_HEADER SERVICE my-tcp-lb-target-proxy NONE my-tcp-lb
Reserve global static IPv4 and IPv6 addresses
Your customers can use these IP addresses to reach your load balanced service.
gcloud compute addresses create tcp-lb-static-ipv4 \
--ip-version=IPV4 \
--global
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses/tcp-lb-static-ipv4]. NAME REGION ADDRESS STATUS tcp-lb-static-ip [LB_STATIC_IPV4] RESERVED
gcloud compute addresses create tcp-lb-static-ipv6 \
--ip-version=IPV6 \
--global
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses/tcp-lb-static-ipv6]. NAME REGION ADDRESS STATUS tcp-lb-static-ip-ipv6 [LB_STATIC_IPV6] RESERVED
Configure global forwarding rules for the two addresses
In place of [LB_STATIC_IPV4] and [LB_STATIC_IPV6], enter the relevant IP
addresses. You can use gcloud compute addresses list
to find them.
gcloud beta compute forwarding-rules create my-tcp-lb-ipv4-forwarding-rule \
--global \
--target-tcp-proxy my-tcp-lb-target-proxy \
--address [LB_STATIC_IPV4] \
--ports 110
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/my-tcp-lb-ipv4-forwarding-rule]. NAME REGION IP_ADDRESS IP_PROTOCOL TARGET my-tcp-lb-ipv4-forwarding-rule [LB_STATIC_IPV4] TCP my-tcp-lb-target-proxy
gcloud beta compute forwarding-rules create my-tcp-lb-ipv6-forwarding-rule \
--global \
--target-tcp-proxy my-tcp-lb-target-proxy \
--address [LB_STATIC_IPV6] \
--ports 110
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/forwardingRules/my-tcp-lb-ipv6-forwarding-rule]. NAME REGION IP_ADDRESS IP_PROTOCOL TARGET my-tcp-lb-ipv6-forwarding-rule [LB_STATIC_IPV6] TCP my-tcp-lb-target-proxy
Creating a firewall rule for the TCP proxy load balancer
Configure the firewall to allow traffic from the load balancer and health checker to the instances. In this case, we will open TCP port 110. The health check will use the same port. Since the traffic between the load balancer and your instances uses IPv4, only IPv4 ranges need be opened.
Console
- Go to the Firewall page in the Google Cloud Console.
Go to the Firewall page - Click Create firewall rule.
- Enter a Name of
allow-tcp-lb-and-health
. - Under Network, select
default
. - Under Targets, select Specified target tags.
- Set Target tags to
tcp-lb
. - Set Source filter to
IP ranges
. - Set Source IP ranges to
130.211.0.0/22
and35.191.0.0/16
. - Set Allowed protocols and ports to
tcp:110
. - Click Create.
gcloud
gcloud compute firewall-rules create allow-tcplb-and-health \
--source-ranges 130.211.0.0/22,35.191.0.0/16 \
--target-tags tcp-lb \
--allow tcp:110
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-tcp110-130-211-0-0-22]. NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS allow-tcplb-and-health default 130.211.0.0/22,35.191.0.0/16 tcp:110 tcp-lb
Testing your load balancer
After replacing LB_IP
with your load balancer's IPv4 or IPv6 address
from the IP:Port field, your load balancer can be accessed by running the
following command:
curl LB_IP:110
Creating Health Checks
Health checks determine which instances can receive new connections. You can configure a TCP, SSL, HTTP, or HTTPS health check for determining the health of your instances.
- If the service running on your backend instances is based on HTTP, use an HTTP health check.
- If the service running on your backend instances is based on HTTPS, use an HTTPS health check.
- If the service running on your backend instances is based on HTTP/2, use an HTTP/2 health check.
- If the service running on your backend instances uses SSL, use an SSL health check.
- Unless you have an explicit reason to use a different kind of health check, use a TCP health check.
Health check firewall rules
Health check probes to your load balanced instances come from addresses in the
ranges 130.211.0.0/22
and 35.191.0.0/16
. These are IP address ranges that
the load balancer uses to connect to backend instances. Your firewall rules
must allow these connections on the relevant port.
See the Health Checks page for details on health checks.
Additional configuration options
This section expands on the configuration example to provide alternative and additional configuration options. All of the tasks are optional. You can perform them in any order.
PROXY protocol for retaining client connection information
TCP Proxy Load Balancing terminates TCP connections from the client and creates new connections to the instances. By default, the original client IP and port information is not preserved.
To preserve and send the original connection information to your instances, enable PROXY protocol (version 1). This protocol sends an additional header that contains the source IP address, destination IP address, and port numbers to the instance as a part of the request.
If you set the PROXY protocol for user traffic, you must also set it for health checks if you are serving traffic and checking health on the same port.
The PROXY protocol header will typically be a single line of user-readable text with the following format:
PROXY TCP4 <client IP> <load balancing IP> <source port> <dest port>\r\n
An example of the PROXY protocol is shown below:
PROXY TCP4 192.0.2.1 198.51.100.1 15221 110\r\n
Where client IP is 192.0.2.1
, load balancing IP is 198.51.100.1
, client port
is 15221
and the destination port is 110
.
In cases where the client IP is not known, the load balancer will generate a PROXY protocol header in the following format:
PROXY UNKNOWN\r\n
If you are checking health and serving content on the same port, you
can set your health check --proxy-header
to match your load balancer
setting. This tutorial uses port 110 for health checking and serving content.
If you are using different ports, you can set this for your health check or not,
as appropriate.
Enabling session affinity
The example configuration creates a backend service without session affinity.
These procedures show you how to update a backend service for the example TCP proxy load balancer so that the backend service uses client IP affinity or generated cookie affinity.
When client IP affinity is enabled, the load balancer directs a particular client's requests to the same backend VM based on a hash created from the client's IP address and the load balancer's IP address (the external IP address of an external forwarding rule).
Console
To enable client IP session affinity:
- Go to the Load balancing page in the Google Cloud Console.
Go to the Load balancing page - Click Backends.
- Click my-tcp-lb (the name of the backend service you created for this example) and click Edit.
- On the Backend service details page, click Advanced configuration.
- Under Session affinity, select Client IP from the menu.
- Click Update.
gcloud
Use the following gcloud command to update the my-tcp-lb
backend
service, specifying client IP session affinity:
gcloud compute backend-services update my-tcp-lb \ --global \ --session-affinity=CLIENT_IP
API
To set client IP session affinity, make a PATCH
request to the
backendServices/patch
method.
PATCH https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/us-west1/backendServices/my-tcp-lb
{
"sessionAffinity": "CLIENT_IP"
}
Connection draining
You can enable connection draining on backend services to ensure minimal interruption to your users when an instance that is serving traffic is terminated, removed manually, or removed by an autoscaler. To learn more about connection draining, read the Enabling connection draining documentation.
TCP Proxy Load Balancing and Google Cloud firewalls
Unlike Network Load Balancing, access to TCP Proxy Load Balancing cannot be controlled by using firewall rules. This is because TCP Proxy Load Balancing is implemented at the edge of the Google Cloud and firewall rules are implemented on instances in the data center.
Monitoring
To set up monitoring for your TCP proxy load balancer, see Using monitoring.
Troubleshooting
Pages fail to load from load balancer IP
Because port 110 is a restricted port for many browsers, you must use a tool
such as curl
to test your load balancer. If you cannot reach your pages by
using curl
, the rest of this section offers some troubleshooting steps.
Verify the health of instances
Verify that the instances are HEALTHY.
gcloud compute backend-services get-health [BACKEND-SERVICE]
Confirm that your firewall rule is correct
- Both the health checker and the load balancer need
130.211.0.0/22
and35.191.0.0/16
to be open. - If you are leveraging instance tags, make sure the tag is listed as under
TARGET_TAGS in the firewall rule, and make sure all of your instances have
that tag. In this example, instances are tagged with
tcp-lb
.
gcloud compute firewall-rules list
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS allow-tcplb-and-health default 130.211.0.0/22,35.191.0.0/16 tcp:110 tcp-lb
Try to reach individual instances
Temporarily set a firewall rule that allows you to access your instances individually, and then try to load a page from a specific instance.
Open the firewall to allow traffic from any source to the tagged instances. Do this by creating a source filter that sets the source IP range to
0.0.0.0/0
for TCP traffic on port110
to instances with thetcp-lb
tag.gcloud compute firewall-rules create allow-tcp110-0-0-0-0 \ --source-ranges 0.0.0.0/0 \ --target-tags tcp-lb \ --allow tcp:110
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-tcp110-0-0-0-0]. NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS allow-tcp110-0-0-0-0 default 0.0.0.0/0 tcp:110 tcp-lb
Look up the EXTERNAL_IP address of one of the instances.
gcloud compute instances list
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS ig-us-central1-1 us-central1-b n1-standard-1 10.240.0.8 EXTERNAL_IP RUNNING ig-us-central1-2 us-central1-b n1-standard-1 10.240.0.11 EXTERNAL_IP RUNNING ig-us-east1-1 us-east1-b n1-standard-1 10.240.0.12 EXTERNAL_IP RUNNING ig-us-east1-2 us-east1-b n1-standard-1 10.240.0.13 EXTERNAL_IP RUNNING
Access one or more of your instances directly from your browser.
curl [EXTERNAL_IP]:110
If your instances are not accessible by this method, make sure that your software is running correctly. If your instances are accessible individually, make sure your load balancer firewall rule is correct.
gcloud compute firewall-rules describe allow-tcp-lb-and-health
allowed: IPProtocol: tcp ports: '110' creationTimestamp: '2017-03-16T15:21:34.119-07:00' description: '' id: '8144207668574597377' kind: compute#firewall name: allow-tcp-lb-and-health network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/default selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-tcp-lb-and-health sourceRanges: 130.211.0.0/22 35.191.0.0/16 targetTags: tcp-lb
When you're sure the instances are working, remove the "from anywhere" firewall rule.
gcloud compute firewall-rules delete allow-tcp110-0-0-0-0
The following firewalls will be deleted: [allow-tcp110-0-0-0-0] Do you want to continue (Y/n)? y Deleted [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/allow-tcp110-0-0-0-0].
What's next
- To learn how TCP Proxy Load Balancing works, see the TCP Proxy Load Balancing overview.
- Clean up the load balancer setup.